The report targets decision-makers and staff involved in developing information security awareness programs in financial organizations, a sector which is increasingly threatened by information security breaches. The average loss caused by theft of customer information is on the rise, as is the cost of responding to security incidents. Security breaches in financial organizations not only damage reputation but also cause heavy financial losses, which can be difficult to recover from.
According to the 2008 report of the UK Financial Services Authority (FSA), financial services firms could significantly improve their controls to prevent data loss or theft. Moreover, employees are now considered the single most likely cause of security incidents as confirmed by many international surveys including the 2007 Global State of Security and the 2008 BERR survey. Technical solutions are no longer the panacea that they might have been in the past. The effort to mitigate the security risks evolving around the human element is growing, and constitutes an important financial commitment for any organization.
The objectives of this publication are to explain the importance of information security awareness in financial organizations, to analyze the environment and the business drivers which may impact such programs, and to provide a communication framework to better organise an awareness initiative. Case studies and recommendations are given to help as a starting point for the awareness raising professionals and teams.
The first part of the report is an assessment of the environment of financial organizations and their main business drivers. In these environments, information security awareness must integrate with the ongoing information security and compliance requirements set by legal and industry mandates. It is extremely challenging to run information security awareness training initiatives and at the same time ensure business continuity and disaster recovery in such a demanding operational environment. This is because the flow of data, apart from requiring high levels of protection, cannot be stopped or reduced even for short periods of time in this type of business.
The paper then focuses on the landscape of international standards, fundamental legislation in place and certification objectives together with major risks, threats and end-user behavior with regard to information security. Several parameters define the awareness strategy to be followed in addition to those mentioned above, such as audience segmentation, roles and job functions, geographical location, multiculturalism and so forth.
The second part covers the different phases of implementation of awareness raising programs in financial organizations and the assessment of results. To ensure that information security awareness corresponds to the objectives of a financial institution, it should be a continuing and ever-evolving process. Factors to be taken into account in the planning, designing, implementation phases are presented in this chapter together with tools for measuring the success of awareness raising initiatives.
The third part includes practical advice, recommendations and case studies provided by a number of private organizations.